Skip to content Skip to navigation
University of Warwick
  • Study
  • |
  • Research
  • |
  • Business
  • |
  • Alumni
  • |
  • News
  • |
  • About

University of Warwick
Publications service & WRAP

Highlight your research

  • WRAP
    • Home
    • Search WRAP
    • Browse by Warwick Author
    • Browse WRAP by Year
    • Browse WRAP by Subject
    • Browse WRAP by Department
    • Browse WRAP by Funder
    • Browse Theses by Department
  • Publications Service
    • Home
    • Search Publications Service
    • Browse by Warwick Author
    • Browse Publications service by Year
    • Browse Publications service by Subject
    • Browse Publications service by Department
    • Browse Publications service by Funder
  • Help & Advice
University of Warwick

The Library

  • Login
  • Admin

Analyzing and patching SPEKE in ISO/IEC

Tools
- Tools
+ Tools

Hao, Feng, Metere, Roberto, Shahandashti, Siamak F. and Dong, Changyu (2018) Analyzing and patching SPEKE in ISO/IEC. IEEE Transactions on Information Forensics and Security, 13 (11). pp. 2844-2855. doi:10.1109/TIFS.2018.2832984

[img]
Preview
PDF
WRAP-analyzing-patching-SPEKE-Hao-2018.pdf - Accepted Version - Requires a PDF viewer.

Download (988Kb) | Preview
Official URL: http://dx.doi.org/10.1109/TIFS.2018.2832984

Request Changes to record.

Abstract

Simple password exponential key exchange (SPEKE) is a well-known password authenticated key exchange protocol that has been used in Blackberry phones for secure messaging and Entrust's TruePass end-to-end web products. It has also been included into international standards such as ISO/IEC 11770-4 and IEEE P1363.2. In this paper, we analyze the SPEKE protocol as specified in the ISO/IEC and IEEE standards. We identify that the protocol is vulnerable to two new attacks: an impersonation attack that allows an attacker to impersonate a user without knowing the password by launching two parallel sessions with the victim, and a key-malleability attack that allows a man-in-the-middle to manipulate the session key without being detected by the end users. Both attacks have been acknowledged by the technical committee of ISO/IEC SC 27 and ISO/IEC 11770-4 revised as a result. We propose a patched SPEKE called P-SPEKE and present a formal analysis in the Applied Pi Calculus using ProVerif to show that the proposed patch prevents both attacks. The proposed patch has been included into the latest revision of ISO/IEC 11770-4 published in 2017.

Item Type: Journal Article
Subjects: Q Science > QA Mathematics > QA76 Electronic computers. Computer science. Computer software
Divisions: Faculty of Science > Computer Science
Library of Congress Subject Headings (LCSH): Computers -- Access control -- Passwords, Institute of electrical and electronics engineers -- Standards, International Standardizing Organization
Journal or Publication Title: IEEE Transactions on Information Forensics and Security
Publisher: IEEE
ISSN: 1556-6013
Official Date: November 2018
Dates:
DateEvent
November 2018Published
3 May 2018Available
10 April 2018Accepted
Volume: 13
Number: 11
Page Range: pp. 2844-2855
DOI: 10.1109/TIFS.2018.2832984
Status: Peer Reviewed
Publication Status: Published
Publisher Statement: © 2018 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Access rights to Published version: Restricted or Subscription Access
RIOXX Funder/Project Grant:
Project/Grant IDRIOXX Funder NameFunder ID
306994 European Research Councilhttp://viaf.org/viaf/130022607
EP/M013561/2[EPSRC] Engineering and Physical Sciences Research Councilhttp://dx.doi.org/10.13039/501100000266
Related URLs:
  • Other Repository

Request changes or add full text files to a record

Repository staff actions (login required)

View Item View Item

Downloads

Downloads per month over past year

View more statistics

twitter

Email us: wrap@warwick.ac.uk
Contact Details
About Us